Systems and methods for updatable applets

ABSTRACT

Embodiments of the invention relate to a technique for updating a device comprising a first and second applets implementing application code. The technique may include determining that the application code needs to be updated, generating a verification value, and sending the verification value and updated code for a function in the first applet. The updated code for the function can be stored in the second applet instead of the first applet, and the function maps of the applets can be updated to reflect the address of the updated function. The updated code can then be executed using the updated function maps to perform a process.

CROSS-REFERENCES TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.16/122,539 filed Sep. 5, 2018, which is a continuation of U.S. patentapplication Ser. No. 14/589,293 filed Jan. 5, 2015, which is anon-provisional of and claims the benefit of priority to U.S.Provisional Application No. 61/923,627 filed Jan. 3, 2014, the entirecontents of all of which are hereby incorporated by reference for allpurposes.

BACKGROUND

The capability and prevalence of payment devices such as credit cards,debit cards, and payment-enabled mobile phones continues to increase.For example, many payment devices comprise a processor and a storageelement including executable code and data. In some cases, it may bedesirable to update code or data stored on the storage element.

However, such an update may be inconvenient for various reasons. Forexample, the update may affect more than the portion of code or datathat needs to be altered since the update may require deleting all codeand data on the storage element and re-loading the updated code anddata. This may require re-personalization of data every time an updateis applied and may be costly in terms of processing time, networkbandwidth, and power utilized to carry out an update.

Accordingly, there is a need for a system that may be capable of aneffective method to apply an update without affecting the whole storageelement.

Embodiments of the present invention address these problems and otherproblems individually and collectively.

BRIEF SUMMARY

Embodiments of the present invention are directed to methods, systems,apparatuses, and computer-readable mediums that enable a code update toan application installed on a device (e.g., a payment device) withoutrequiring the update of the entire contents of the storage medium.

Embodiments of the invention are directed to a device whose executablecode (e.g., application code) may include two applets: an updatableapplet and a static applet. For some embodiments, a device is disclosedcomprising a processor, and one or more memories (e.g., a secureelement) storing an updatable applet, and a static applet incommunication with the updatable applet, wherein the device isconfigured to receive updates to the updatable applet. In someembodiments, the device may be a payment device that can be used toconduct payment transactions, and may be in the form of a paymentenabled mobile device (e.g., a mobile phone, a tablet, or other suitableforms of portable communication device that a user can carry).

According to embodiments of the present invention, the updatable appletmay refer to any data or code stored in a storage medium that may beupdated or modified (e.g. an electrically-erasable programmable readonly memory (EEPROM)) while the static applet may refer to any data orcode stored in a storage medium that is unmodifiable or difficult tomodify (e.g. a read-only memory (ROM)). Both the static and updatableapplets may comprise some or the entirety of the personalization data.

Some embodiments of the invention allow patches or updates to be appliedto the payment device without re-loading all the executable code orre-personalizing all the payment data. Updated code may be loaded as anew version of the updatable applet while the previous version of theupdatable applet may be deleted. When a new version of the updatableapplet is implemented, the updatable applet may be linked to the staticapplet during instantiation. A function map may associate functions withtheir corresponding memory locations and may update accordingly whenupdated code is added to the updatable applet. Previous data stored intothe static applet may remain unaltered, which eliminates the need tore-personalize all the payment data after an updated version of theexecutable code is loaded and installed.

When an update is implemented, the updatable applet is modified toincorporate not only the updated features, but may also include theequivalent functionality of original code of the static applet beforethe update if the original code is being replaced or patched. When theupdated code of the updatable applet is dependent upon any data in thestatic applet, the updatable applet may retrieve relevant data from thestatic applet and then apply the updated code. In some embodiments,updated data elements may be passed back to the static applet as well.

One embodiment of the present invention is directed to a method forprocessing data using application code including a static appletcomprising a first plurality of software functions and an updatableapplet comprising a second plurality of software functions stored on acomputing device, and an access control software element. The methodcomprises determining, by a data processor, that the application code(e.g., static applet and/or updatable applet) needs to be updated. Themethod further comprises updating, by the data processor, the updatableapplet and a function map comprising addresses for the softwarefunctions in the updatable applet and the static applet. The methodfurther comprises executing, by the data processor, the updatable appletand the static applet, through the access control software element,using the updated function map, to perform a process.

According to embodiments of the present invention, the updatable appletand static applet may comprise shared interfaces that indicate functionsthat can be accessed by certain modules. The access control softwareelement may control access between the updatable applet and staticapplet based on the shared interfaces.

These and other embodiments of the invention are described in furtherdetail below.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows an exemplary system that may be used with embodiments ofthe invention.

FIG. 2 shows mobile device that may be used with embodiments of theinvention.

FIG. 3 shows a diagram of subcomponents in an example of a static appletand an example of an updatable applet.

FIG. 4 shows a diagram illustrating the use of functions in sharedinterfaces in accordance with some embodiments of the invention.

FIG. 5 shows a method for updating an updatable applet according to someembodiments of the invention.

FIG. 6 shows an example of a function call flow diagram and acorresponding function map for one embodiment of the invention.

FIG. 7 shows an example of an updated function call flow diagram and acorresponding updated function map for one embodiment of the invention.

FIG. 8 shows a block diagram of an exemplary computer apparatus.

DETAILED DESCRIPTION

Embodiments of the invention enable a code update without the need toupdate the entire contents of the storage medium of a device. The devicemay comprise a static applet and an updatable applet, where updates tothe static applet may be carried out by altering the updatable appletand updating a function map containing addresses for software functionsin the static applet and updatable applet. This allows for contents inthe static applet to remain unmodified, while enabling updated or newfunctionality and features from updated code. In some embodiments, everytime an update is applied to the updatable applet, the static applet mayverify the updatable applet by a public/private key encryption process.

In embodiments of the invention, the code in the updatable applet andthe static applet may be executed based on the updated function map andthrough an access control software element. For example, when updatedcode is added to the updatable applet, the function map may be updatedto reflect the address that updated code was added into the updatableapplet instead of the formerly associated address in the static applet.When executing code in the updatable applet and static applet,information may be accessed through an access control software elementthat may regulate access between modules containing functions in sharedinterfaces. In embodiments of the invention, the static applet andupdatable applet may both comprise shared interfaces.

Prior to discussing embodiments of the invention, description of someterms may be helpful in understanding embodiments of the invention.

The term “server computer” may include a powerful computer or cluster ofcomputers. For example, the server computer can be a large mainframe, aminicomputer cluster, or a group of servers functioning as a unit. Inone example, the server computer may be a database server coupled to aWeb server. The server computer may be coupled to a database and mayinclude any hardware, software, other logic, or combination of thepreceding for servicing the requests from one or more client computers.The server computer may comprise one or more computational apparatusesand may use any of a variety of computing structures, arrangements, andcompilations for servicing the requests from one or more clientcomputers.

A “static applet” may include any data or code that is stored in astorage medium, and is substantially unmodifiable, difficult to modify,or otherwise not modified in ordinary use without updating the entirecontents of the storage medium. In some embodiments, the storage mediumcan be a secure element of a communication device. In some cases, astatic applet as described herein may be implemented using a technologythat may allow for modification of data and code by a trusted entity.However, modification of the static applet is difficult or impossibleduring normal operation of the device which stores and executes thestatic applet.

An “updatable applet” may refer to any data or code that is stored in astorage medium that may be updated or modified. In some embodiments, thestorage medium can be a secure element of a communication device, andthe updatable applet can be updated or modified without updating theentire contents of the secure element. In some embodiments, the storagemedium storing the updatable applet may be a separate memory coupled toa secure element. In contrast to a static applet, an updatable appletmay be updated during normal operation.

A “secure element” is an example of a trusted execution environment. Asecure element securely stores applications and/or credentials (e.g.,financial account numbers) and provides for secure execution ofapplications. The secure element may comprise a secure memory andexecution environment that is a dynamic environment to securely storeapplication code and data and administer the secure execution ofapplications. The secure element may comprise computing logic, such as a8-32 bit CISC/RISC processor, a crypto processor for encrypting,decrypting and signing data packets using security algorithms such asAES, DES, ECC, a random number generator, a secure memory (e.g.,implemented as ROM, RAM, and/or EEPROM/Flash), a communication interfaceand a memory management unit. The secure element may also providedelimited (i.e., with definable limits) memory for each application.

A “function” may comprise written computer instructions that may beexecuted to perform a specified operation. A function may be utilized aspart of a larger software program. In some cases, a prewritten set offunctions may be stored in a software library. In some cases, functionsmay be written to perform specialized tasks. A function may or may notreturn a value when executed.

A “function map” may store logical connections between functions andtheir corresponding characteristics. For example, a function map maycomprise a software table containing an entry for each function and anassociated characteristic for each function. Information stored in afunction map may be updated, altered, or deleted during execution of asoftware program. In embodiments of the invention, a function map mayassociate each function with its corresponding location in memory. Thefunction map may be accessed to determine the memory address of code tobe executed when making a function call. The information stored in thefunction map may be updated to reflect a change made to thefunctionality of a function, which may be stored in a new memorylocation.

A “module” may be a portion of a software program. For example, a modulemay comprise one or more functions. In some cases, a software programmay be composed of one or more independently developed modules. Inembodiments of the invention, one or more functions residing in theupdatable applet or static applet may make up a module.

An “interface” may be a boundary across which two entities or systemsmay communicate with each other. A shared interface may be a type ofinterface through which an entity may share its information with one ormore other entities. In some embodiments, a shared interface mayindicate specific entities that may access certain information definedin the shared interface. For example, a first entity may comprise ashared interface. The shared interface may comprise code or dataassociated with the first entity. Additionally, the shared interface maycomprise identifiers of other entities that may access the informationstored in the shared interface. A second entity may request access toinformation in the shared interface. If the shared interface indicatesthat the second entity may access the information, then the secondentity may be able to communicate with and utilize information in theshared interface of the first entity. In embodiments of the invention, amodule may comprise a shared interface, which may comprise functions ordata that may be shared, as well as indicate the modules that may accessthe shared interface. In some embodiments, the modules that may gainaccess may be identified by the names of functions within the modules.

An “access control software element” may regulate communication betweenmultiple entities. A firewall may be an example of an access controlsoftware element and may prevent unrestricted access to or from anentity. A firewall may be implemented by software and may be customizedwith certain functionalities and protection features. In embodiments ofthe invention, an updatable applet and a static applet may be executedthrough an access control software element in order to perform aprocess. The access control software element, which may be a firewall,may determine whether entities may request certain code or data from theshared interfaces of the updatable applet or the static applet.

Embodiments of the invention provide several advantages. For example,embodiments enable a device comprising an updatable applet and a staticapplet to be updated without requiring the entire contents of a secureelement to be replaced. Updating an updatable applet as described forembodiments of the invention may allow the update to be smaller andfaster to deploy than if data or code of a static applet was alsorequired to be updated.

Embodiments of the invention provide the additional advantage ofavoiding the re-personalization of a secure element after installing anupdate. For example, in some embodiments, a static applet may comprisepersonalization data such as a user's name, account details, and paymentinformation. An updatable applet may comprise other ancillary functionsrelating to payment transactions. Since an update only modifies theupdatable applet, this allows the static applet to be maintained as-iswith the personalization data. Further, since personalization data isisolated from the updatable applet, the updatable applet may be keptsubstantially identical for multiple users. Thus, the infrastructurerequired to deploy updates may be reduced.

Embodiments of the invention provide the further advantage of reducingtesting requirements for updates. In some cases, core features may beimplemented on the static applet, and value-add or other ancillaryfeatures may be implemented on an updatable applet. Thus, if a testingor certification process is required for updates to core features, thecertification may only need to be performed once (i.e., when the staticapplet is loaded). Further testing or certification may be avoided ifupdates to the updatable applet do not change core functionality.

I. Payment Systems and Methods

FIG. 1 shows a system according to an embodiment of the invention. Thesystem comprises a user (not shown) who may operate a mobile device 200.The user may use mobile device 200 to conduct payment transactions incommunication with a merchant computer 102. As used herein, a “mobiledevice” may include a mobile phone, tablet, netbook, laptop, or anyother suitable mobile computing device. Merchant computer 102 may beconnected to acquirer computer 103. Acquirer computer 103 may beconnected to issuer computer 105 via payment processing network 104.Mobile device 200, merchant computer 102, and acquirer computer 103 mayalso be in communication with a mobile gateway 101 by a communicationnetwork 107.

A “mobile gateway” may include any suitable network point that acts asan entrance to another network. A mobile gateway according to anembodiment of the invention may include a server that is configured toreceive encrypted payment information from a mobile device, validate themobile device, decrypt the payment information, and send it to acomputing device. In some embodiments of the invention, a mobile gatewaymay be operated as part of a merchant computer 102, acquirer computer103, or payment processing network 104, instead of being a stand-aloneentity.

The communication network 107 may include any suitable network entitiesand devices that can enable connectivity amongst various entities. Insome embodiments of the invention, the communication network 107 mayenable wireless communication that may to allow the exchange ofinformation between entities. In some embodiments, a communicationsnetwork may be any one and/or the combination of the following: a directinterconnection; the Internet; a Local Area Network (LAN); aMetropolitan Area Network (MAN); an Operating Missions as Nodes on theInternet (OMNI); a secured custom connection; a Wide Area Network (WAN);a wireless network (e.g., employing protocols such as, but not limitedto a Wireless Application Protocol (WAP), I-mode, and/or the like);and/or the like.

An “issuer” may typically refer to a business entity (e.g., a bank) thatmaintains financial accounts for a user and often issues a mobile device200 such as a credit or debit card to the user. A “merchant” istypically an entity that engages in transactions and can sell goods orservices. An “acquirer” is typically a business entity (e.g., acommercial bank) that has a business relationship with a particularmerchant or other entity. Some entities can perform both issuer andacquirer functions. Some embodiments may encompass such single entityissuer-acquirers. Each of the entities may comprise one or more computerapparatuses (e.g., merchant computer 102, acquirer computer 103, paymentprocessing network 104, and issuer computer 105) to enablecommunications or to perform one or more of the functions describedherein.

The payment processing network 104 may include data processingsubsystems, networks, and operations used to support and delivercertificate authority services, authorization services, exception fileservices, transaction scoring services, and clearing and settlementservices. An exemplary payment processing network may include VisaNet™.Payment processing networks such as VisaNet™ are able to process creditcard transactions, debit card transactions, and other types ofcommercial transactions. VisaNet™, in particular, includes a VIP system(Visa Integrated Payments system) which processes authorization requestsand a Base II system which performs clearing and settlement services.

The payment processing network 104 may include one or more servercomputers. A server computer is typically a powerful computer or clusterof computers. For example, the server computer can be a large mainframe,a minicomputer cluster, or a group of servers functioning as a unit. Inone example, the server computer may be a database server coupled to aWeb server. The payment processing network 104 may use any suitablewired or wireless network, including the Internet.

In some payment transactions, the user purchases a good or service atmerchant computer 102 using a mobile device 200. The user's mobiledevice 200 can interact with an access device 106 at a merchantassociated with merchant computer 104. The access device 106 may be anysuitable device that may comprise the capability to accept a transactionmade by a payment device. For example, the user may tap the mobiledevice 200 against an NFC reader in the access device 106. When themobile device 200 interacts with the access device 106 or merchantcomputer 102, the access device 106 or merchant computer 102 maycommunicate with a mobile application. Alternatively, the user mayindicate payment details to the merchant electronically, such as in anonline transaction.

An authorization request message may be generated by mobile device 200or merchant computer 102 and then forwarded to the acquirer computer103. After receiving the authorization request message, theauthorization request message is then sent to the payment processingnetwork 104. The payment processing network 104 then forwards theauthorization request message to the corresponding issuer computer 105associated with an issuer associated with the user.

An “authorization request message” may be an electronic message that issent to a payment processing network and/or an issuer of a payment cardto request authorization for a transaction. An authorization requestmessage according to some embodiments may comply with ISO 8583, which isa standard for systems that exchange electronic transaction informationassociated with a payment made by a user using a payment device orpayment account. The authorization request message may include an issueraccount identifier that may be associated with a payment device orpayment account. An authorization request message may also compriseadditional data elements corresponding to “identification information”including, by way of example only: a service code, a CVV (cardverification value), a dCVV (dynamic card verification value), anexpiration date, etc. An authorization request message may also comprise“transaction information,” such as any information associated with acurrent transaction, such as the transaction amount, merchantidentifier, merchant location, etc., as well as any other informationthat may be utilized in determining whether to identify and/or authorizea transaction, such as a cryptogram signing the transaction data (e.g.an authorization request cryptogram), etc. The authorization requestmessage may also include other information such as information thatidentifies the access device that generated the authorization requestmessage, information about the location of the access device, etc.

After the issuer computer 105 receives the authorization requestmessage, the issuer computer 105 sends an authorization response messageback to the payment processing network 104 to indicate whether thecurrent transaction is authorized (or not authorized). The paymentprocessing network 104 then forwards the authorization response messageback to the acquirer 103. In some embodiments, payment processingnetwork 104 may decline the transaction even if issuer computer 105 hasauthorized the transaction, for example depending on a value of thefraud risk score. The acquirer 103 then sends the response message backto the merchant computer 102.

An “authorization response message” may be an electronic message replyto an authorization request message generated by an issuing financialinstitution 105 or a payment processing network 104. The authorizationresponse message may include, by way of example only, one or more of thefollowing status indicators: Approval—transaction was approved;Decline—transaction was not approved; or Call Center—response pendingmore information, merchant must call the toll-free authorization phonenumber. The authorization response message may also include anauthorization code, which may be a code that a credit card issuing bankreturns in response to an authorization request message in an electronicmessage (either directly or through the payment processing network 104)to the merchant computer 102 that indicates approval of the transaction.The code may serve as proof of authorization. As noted above, in someembodiments, a payment processing network 104 may generate or forwardthe authorization response message to the merchant.

After the merchant computer 104 receives the authorization responsemessage, the merchant computer 104 may then provide the authorizationresponse message for the user. The response message may be displayed bythe mobile device 200, or may be printed out on a physical receipt.Alternately, if the transaction is an online transaction, the merchantmay provide a web page or other indication of the authorization responsemessage as a virtual receipt. The receipts may include transaction datafor the transaction.

At the end of the day, a normal clearing and settlement process can beconducted by the payment processing network 104. A clearing process is aprocess of exchanging financial details between an acquirer and anissuer to facilitate posting to a customer's payment account andreconciliation of the user's settlement position.

Payment transactions in accordance with the invention may also beconducted in any other suitable manner. For example, instead of mobiledevice 200 communicating with merchant computer 102, a user's portableuser device (e.g., a credit card, debit card, or smart card) may be usedat an access device (e.g., a point of sale (POS) terminal) connected tomerchant computer 102.

II. Applet Systems

FIG. 2 illustrates a mobile device 200 that may be used in embodimentsof the invention. The mobile device 200 may include a mobile phone,tablet, netbook, laptop, or any other suitable mobile computing device.Mobile device 200 may comprise a memory 210, a secure element 250, anddevice hardware 260. The memory 210 may comprise a mobile application211, such as a mobile wallet application or mobile payment application.The secure element 250 may comprise account data 251, an updatableapplet 252, and a static applet 253.

Mobile application 211 may include any mobile program, software, orother suitable executable code suitable to conduct a paymenttransaction. In some embodiments, mobile application 211 may be amerchant-specific application. In other embodiments, mobile application211 may be general purpose, such as a web browser. In some embodiments,the mobile application 211 may comprise mobile application features 220,account management logic 230, and cloud-based payment logic 240.

The mobile application features 220 may include payment modes 221,verification methods 222, and user settings 223. Payment modes 221 mayinclude logic required to support various ways of setting mobileapplication 211 and mobile device 200 to initiate a payment, and mayinclude support for various types of payment. Verification methods 222may include logic required to confirm a mobile application passcode,device verification method, or any other verification informationmethods supported by mobile application 211. User settings 223 mayinclude any logic required to apply settings indicated by the user ofthe mobile application 211 on the mobile device 200. Mobile application211 may receive user settings 223 options, or a subset thereof, in asuitable manner or assume a default for one or more of the options. Usersettings 223 may describe the general behavior of mobile application 211and may include options to select or change payment modes, passwords,and any other characteristics surrounding the use of the mobileapplication 211.

Account management logic 230 of mobile application 211 may include logicto process information for a cloud-based payments service. Such logicmay be for account enrollment 231, account provisioning 232, accountlifecycle management 233, active account management 234, and postpayment 235. Account enrollment 231 includes logic for a consumer toinitiate the enrollment of an account to the cloud-based paymentservice. Account provisioning 232 includes logic to process the issuerdata to configure the account into mobile application 211, including theprovisioning of the initial account parameters. Account lifecyclemanagement 233 may include logic to initiate and process accountlifecycle events such as consumer initiated delete, issuer-initiateddelete, issuer-initiated suspend, and/or issuer-initiated resume, etc.Active account management 234 is utilized to initiate a request toupdate parameters when account parameter thresholds 241 have beenexceeded. Post payment 235 interactions logic is utilized to supportpayment verification and may include logic to receive and respond torequests for the mobile application transaction log 235. Post payment235 interactions logic can also be utilized to support accountreplenishment, and may include logic to extract required information(i.e., sequence counter) from transaction log 242 to send as part of anaccount parameter replenishment request.

Cloud-based payment logic 240 of mobile application 211 may includecontactless payment logic 244, proximity payment system environment(PPSE) logic 243, a transaction log 242, and account parameterthresholds 241. Contactless payment logic 244 includes functionalitiesthat enable contactless communications to conduct a contactlesstransaction with a contactless reader of an access device 106 associatedwith a merchant computer 102. PPSE 243 may be utilized to inform thecontactless payment terminal which payment product is available onmobile device 200. The payment terminal may then utilize thisinformation to select the payment account to initiate a contactlesstransaction. Transaction log 242 may be utilized for post-paymentsupport. For example, mobile application 211 may maintain a transactionlog 242, which may be hidden from the consumer. It may retaintransaction details for transactions initiated from mobile device 200.Mobile application 211 may utilize the system transaction verificationlog 242 to support active account management processes and post paymentinteractions. Account parameter thresholds 241 are initially configuredand can potentially be updated with different thresholds to informmobile application 211 when to initiate a request for updated accountparameters.

The secure element 250 may securely store account data 251, updatableapplet 252, and static applet 253. In some embodiments, one or more ofmobile application 211, updatable applet 252, and static applet 253 maybe stored in the secure storage memory of a secure element 250. In someembodiments, PPSE 243 functionalities may be provided from secureelement 250.

The account data 251 may comprise any information relating to a useraccount associated with a mobile device 200. The account data 251 mayinclude user credentials, such as financial account numbers, and anyother sensitive information that may be associated with a user account.The account data 251 may be utilized by mobile application 211 toexecute a transaction.

Updatable applet 252 may include any API, service, application, applet,or other executable code stored on a mobile device 200 (e.g., in asecure element 250). Updatable applet 252 may be configured to executepayment functionality implemented by static applet 253, retrieve paymentinformation from static applet 253, and communicate with mobileapplication 211.

In some embodiments, updatable applet 252 may communicate with mobileapplication 211 using an application programming interface (API). Forexample, updatable applet 252 may comprise one or more classesimplementing interfaces defined in the API. The mobile application 211may utilize the API to perform various payment related functions, suchas receiving payment account information associated with a paymentaccount.

In some embodiments, updatable applet 252 may include one or moreclasses and methods that are common to all multiple transactional paths(e.g., incrementing a transaction count or retrieving a cardverification code) or data that would likely be updated or patched whena new function is introduced (e.g., a list of manufacturer IDs).

Static applet 253 may include any API, service, application, applet, orother executable code stored on a mobile device 200 (e.g., in a secureelement 250). Static applet 253 may comprise one or more shareableinterfaces that are accessible by updatable applet 252. Updatable applet252 may also comprise one or more shareable interfaces that areaccessible by static applet 253. In some embodiments, static applet 253may only be accessed through the shareable interfaces. In addition, insome embodiments, the static applet 253 may only be accessed byupdatable applet 252. This improves security, since access to sensitivefunctionality is limited both in scope (specifically to the sharedinterfaces), and to a single point of entry (i.e., the updatable applet252).

In some embodiments, data personalization may be solely handled by thestatic applet 253. The updatable applet 252 may be patched or modifiedwithout a need to re-personalize static applet 253. This reduces codecomplexity, minimizes errors, and reduces performance issues due to datatraffic. In such embodiments, when a patch is needed, the updatableapplet 252 may receive data from the static applet 253 to be used in thepatched code. If the functionality of the static applet 253 is patchedor updated, the main process of the updatable applet 252 may be updatedto get data from the static applet 253 and then call the patched code.Any updated data elements will be passed back to the static applet 253.Processing can continue based on an updated function map that isdescribed in detail below.

In some embodiments, updatable applet 252 and static applet 253 maycomprise data containers, each of which may contain multiple dataelements. These containers can help minimize the number of data elementsthat are created when a new instance of updatable applet 252 or staticapplet 253 is created, thus improving deployment performance andreducing infrastructure needs.

It should be noted that although updatable applet 252 and static applet253 are shown in FIG. 2 as being included in a mobile device 200,embodiments are not so limited. For example, in some embodiments,updatable applet 252 and static applet 253 may be included on a smartcard. Further, updatable applet 252 may communicate directly withmerchant computer 102 or an access device 106 (e.g., at a POS terminal)associated with the merchant computer 102.

Device hardware 260 of mobile device 200 may comprise processor 261,display 262, user interface 263, contactless element 264, and antenna265.

Processor 261 may be any suitable processor operable to carry outinstructions on the mobile device 200. The processor 261 is coupled tovarious units of the mobile device 200, including memory 210, secureelement 250, display 262, and any other components of device hardware260 and mobile device 200.

The processor 261 may comprise one or more CPUs. A CPU comprises atleast one high-speed data processor adequate to execute programcomponents for executing user and/or system-generated requests. The CPUmay be a microprocessor as those that are commercially available fromIntel or AMD.

Display 262 may be operable to visually present any information to auser using mobile device 200. In some embodiments, the display 262 mayallow the user to trigger input elements. For example, the user mayactivate a software button or slider by touching display 262.

User interface 263 may be displayed on display 262 and may be utilizedby the user of mobile device 200 to interact with mobile application211. User interface 263 may be implemented by software and may displaybuttons, indicators, and other input elements that may affect thefunctionality of mobile application 211 based on user input. In someembodiments, user interface 263 may prompt the user for certaininformation or may allow the user to instruct the mobile application 211or mobile device 200 to carry out certain operations. For example, theuser may interact with user interface 263 to alter the state of usersettings 223 of mobile application 211.

Contactless element 264 may enable mobile device 200 to interface withaccess device 106 to complete a transaction. Contact element 264 mayinclude a near field communications data transfer element or anysuitable form of short range or contactless communication technology.

Antenna 265 may be utilized by mobile device 200 to send and receivewireless communications. Antenna 265 may assist in connectivity to theInternet or other communications network, and enabling data transferfunctions. Antenna 265 may enable SMS, USSD, as well as other types ofcellular communications, such as voice call and data communications.

FIG. 3 shows a diagram of subcomponents in an example of a static applet253 and updatable applet 252. The static applet 253 and updatable applet252 may reside on any suitable device, such as in a secure element 250of a mobile device 200 as shown in FIG. 2. The static applet 253 and theupdatable applet 252 may communicate through an access control softwareelement, such as firewall 370.

Static applet 253 may comprise a shared interface 310, private functions320, function map 330, as well as one or more data elements, includingpersistent data 332 and transient data 334. The shared interface 310 andprivate functions 320 may comprise one or more functions or modules.

The function map 330 may associate functions in updatable applet 252 andstatic applet 253 with corresponding locations in memory. The functionmap 330 may be updated when an update is made to the updatable applet252. Before calling a function, the static applet 253 may access thefunction map 330 to determine what code to execute when processingfunctions. In some embodiments, the function map 330 may be synchronizedto match the values in the function map 360 stored in the updatableapplet 252.

Persistent data 332 may comprise any information that may remain instorage when utilized by the static applet 253 to execute variousprocesses. For example, persistent data 332 may include one or moreclasses (i.e., software defining properties of software entities) thatmay be utilized to implement the functions defined by the static applet253.

Transient data 334 may comprise any information that may be utilized bythe static applet 253 and that is not stored across execution of variousprocesses. For example, transient data 334 may include process dependentdata that may be discarded or reset back to a default value after aprocess is executed.

As shown in FIG. 3, a shared interface 310 may include functions ormodules that may allow the updatable applet 252 to access the staticapplet 253. A Select Response Function 311 may be accessed afterupdatable applet 252 determines that processing of functions should becontinued and may determine the next function to be executed. AnAuthenticate Function 312 may help determine whether processing offunctions should continue and may verify whether a required level ofsecurity has been met. A Personalize Function 313 may handle all datapersonalization, which eliminates the need to re-personalize after a newversion of the updatable applet 252 is loaded and installed. An InitiateTransaction Function 314 may initiate a payment transaction process. ATransaction Response Function 315 may execute any code utilized for partof a payment transaction process. A Script Update Function 316 may applyan update of any code or data in the static applet 253 indicated by theupdatable applet 252.

A Get Data Function 317 and a Put Data Function 318 may allow for datasynchronization between updatable applet 252 and static applet 253. TheGet Data Function 317 may retrieve any data from the static applet 253that may be requested by the updatable applet 252. The Put Data Function318 may set any data in the static applet 253 that may be requested bythe updatable applet 252. In addition to the functions allowing theupdatable applet 252 to get and set data in static applet 253, thefunctions may also indicate whether a received command originatesexternal to the device (i.e., communication to the updatable applet 252from access device 106 or another entity external to mobile device 200)or internal to the device (i.e., communication from the updatable applet252). This information may change what kind of data the requestor may beallowed to access. When the functions are accessed internally, theupdatable applet 252 may be able to retrieve and save data internal tothe processes running within the static applet 253, such as internalindicators and transient values of transient data 334.

Some commands may be sent to a Process Commands Function 319, which maycheck the function map 330 to process the functions that it receives.This may be useful if updatable applet 252 wants to execute a functionthat is not accessible in shared interface 310, but is instead part ofprivate functions 320 of static applet 253. In this case, the functionmap 360 may indicate the memory location of the Process CommandsFunction 319 in shared interface 310 instead of the location of thefunction residing in private functions 320. Attempting to call a privatefunction in static applet 253 directly can cause an error. After theupdatable applet 252 calls the Process Commands Function 319, then thestatic applet 253 may call or execute one or more functions residing inprivate functions 320 or shared interface 310.

The private functions 320 may include functions or modules that thestatic applet 253 may not allow access to the updatable applet 252. Theprivate functions 320 may not be included in the shared interface 310and may be called internally within the static applet 253 in someembodiments. A Verify Certificate Function 321 may utilize a public keystored in the static applet 253 to determine whether a certificatecreated by the updatable applet 252 is valid. This verification processmay ensure that the appropriate entities are receiving and sendinginformation to each other. A Generate Cryptogram Function 322 maygenerate a transaction cryptogram for the application. Utility FunctionsModule 323 may comprise one or more functions that may carry out anyother processes to be utilized by static applet 253. In someembodiments, information may be communicated between the updatableapplet 252 and the static applet 253 to execute the update. The privatefunctions 320 may access shared interface 350 of updatable applet 252.

Updatable applet 252 may comprise a shared interface 350, privatefunctions 340, function map 360, as well as one or more data elements,including persistent data 362 and transient data 364. The sharedinterface 350 and private functions 340 may comprise one or morefunctions or modules.

The function map 360 may associate functions in updatable applet 252 andstatic applet 253 with corresponding locations in memory. The updatableapplet 252 may access the function map 360 to determine what code toexecute when processing functions. The function map 360 may be updatedwhen an update is made to the updatable applet 252. In some embodiments,the function map 360 may be synchronized to update the values in thefunction map 360 stored in the static applet 253.

The two function maps shown in FIG. 3 serve to demonstrate that both theupdatable applet 252 and the static applet 253 may comprise a copy of afunction map to utilize during execution of functions. For example, theupdatable applet 252 may update function map 360, which may then besynchronized with function map 330 of static applet 253. This ensuresthat the updatable applet 252 and the static applet 253 may utilize themost updated version of the function map storing appropriate memorylocations of executable code. In other embodiments, any function mapthat is stored in the device may be stored solely in the static applet,solely in the updatable applet, or outside of both the updatable andstatic applets.

Persistent data 362 may comprise any information that may remain instorage when utilized by the updatable applet 252 to execute variousprocesses. For example, persistent data 362 may include one or moreclasses that may be utilized to implement the functions defined by theupdatable applet 252.

Transient data 364 may comprise any information that may be utilized bythe updatable applet 252 and that is not stored across execution ofvarious processes. For example, transient data 364 may include processdependent data that may be discarded or reset back to a default valueafter a process is executed.

The shared interface 350 may include functions or modules that theupdatable applet 252 may allow access to the static applet 253. AnUpdate Data Function 351 may delete, replace, or update any data in theupdatable applet 252. Updated code 352 may comprise a code patch thatmay fix or add functionality to code in the updatable applet 252. Insome embodiments, information may be communicated between the updatableapplet 252 and the static applet 253 to execute the update.

The private functions 340 may include functions or modules that thestatic applet 253 may not directly access. The private functions 340 maynot be included in the shared interface 350 and may be utilizedinternally within the updatable applet 252 in some embodiments. A MainProcess Function 341 and a Select Function 342 may receive externalcommands, such as from access device 106, and access the function map360 to determine how to route the commands. For example, these functionsmay route the received commands to an Authenticate Function 312 ordirectly to a Select Response Function 311 of shared interface 310 inthe static applet 253. Utility Functions Module 343 may comprise one ormore functions that may carry out any other processes to be utilized byupdatable applet 252. Updated code 344 may comprise a code patch thatmay fix or add functionality to any code in private functions 340. Insome embodiments, information may be communicated between the updatableapplet 252 and the static applet 253 to execute the update. The privatefunctions 340 may access shared interface 310 of static applet 253.

The static applet 253 and updatable applet 252 may communicate throughan access control software element. The access control software elementmay be, for example, firewall 370 that may prevent unrestricted accessbetween one applet to another applet. The firewall 370 may ensure thatonly information that resides in shared interface 310 of static applet253 can be accessed by the updatable applet 252 and only informationthat resides in shared interface 350 of updatable applet 252 can beaccessed by static applet 253.

FIG. 4 shows a diagram illustrating how the static applet 253 andupdatable applet 252 may interface with each other through the use ofshared interfaces in accordance with some embodiments of the invention.Each shared interface in one applet may declare functions that aresuitable for access by a group of modules in another applet. As shown,static applet 253 comprises a module A 410 including a shared interface411. Updatable applet 252 comprises a module B 420 including a sharedinterface 421 and a module C 430 including a shared interface 431.Module A 410 may interface with Module B 420 and Module C 430 by sharedinterface 421 and shared interface 431, respectively. Module B andModule C may interface with Module A 410 by shared interface 411.

An access control software element, such as firewall 370, may preventunrestricted access between updatable applet 252 and static applet 253.Typically, functionality of an applet not exposed through a sharedinterface may be protected by the access control software element, suchas a Java Card firewall. In some embodiments, other types of firewallprotection or access controls may be implemented.

In some embodiments, updatable applet 252 may interface with staticapplet 253 using one or more shareable interface objects (SIOs). In someembodiments, such as when updatable applet 252 and static applet 253 arestored on a Java Card™ device, the SIOs may be implemented using theJava Card™ SIO framework. An SIO may enable one context (e.g., anupdatable applet 252) to access objects belonging to another context(e.g., a static applet 253). Typically, an SIO may be an instance ofshareable interface and only methods defined in the shareable interfaceare externally accessible. All data fields and other methods orfunctions of the SIO are protected by firewall 370.

In embodiments of the invention, each shared interface can declaremethods or functions that are suited for a group of modules to utilize.The static applet 253 and module A 410 may define shared interface 411,which can declare methods or functions that are suitable for a group ofmodules of updatable applet 252 (e.g., module B 420 and module C 430).In embodiments of the invention, updatable applet 252 may also definemultiple interfaces, each interface declaring methods or functions thatare suitable for modules of static applet 253 (e.g., module A 410). Thismay allow for communication to be controlled from the updatable applet252 towards the static applet 253, as well as from the static applet 253towards the updatable applet 252.

FIG. 3 and FIG. 4 show exemplary functions in static applet 253 andupdatable applet 252. While functions in static applet 253 and updatableapplet 252 are described with specific names and functionality,embodiments are not so limited. Static applet 253 and updatable applet252 may comprise any number of functions with suitable namingconventions that enable functionality of static applet 253 and updatableapplet 252 as described herein.

III. Applet Update Methods

FIG. 5 shows a method 500 for updating an updatable applet 252 accordingto some embodiments of the invention. Method 500 may be described withreference to FIG. 3. Method 500 may be performed by any suitable entityor combination of entities shown in FIG. 1.

An update in accordance with method 500 may be performed for anysuitable reason. For example, in some cases, the update may be toimplement new functionality for a payment device. In other cases, theupdate may be to fix bugs or other issues in existing functionality.

At step 501, data and/or application code to be updated is determined.In some cases, the update may be to replace existing data or code thatis part of or stored as an updatable applet 252 or static applet 253. Insome cases, the update may add data or code not already present inupdatable applet 252 or static applet 253. Hence, the location that thedata and code is to be updated to is also determined in this step.

At step 502, the determined updated code and data are added to theupdatable applet 252. This allows an update to be applied to thefunctionality of static applet 253 in a new memory location in updatableapplet 252 without altering the code and data of static applet 253. Theupdate may fix a bug or issue existing in static applet 253 or mayprovide additional functionality to static applet 253.

Updated code that is added by updatable applet 252 may enable ways fordata variables associated with an update to be kept in sync withcorresponding data variables in static applet 253.

Some data variables may only be utilized in a single function in staticapplet 253 that is updated in updatable applet 252. In this case, thisdata in static applet 253 may be indicated to be obsolete so that onlythe updated value accessible through updatable applet 252 is utilized infuture execution of the function.

Some data variables may be utilized by two or more functions, where oneof the functions is updated in the updatable applet 252. The datavariables may be kept in sync between updatable applet 252 and staticapplet 253. In this case, patched or updated code in updatable applet252 may retrieve relevant data from static applet 253 to utilize inexecution of the updated function. If any data value of the retrieveddata is modified, the updated value may be sent back to static applet253, which may utilize the value when calling another function.

Some data variables may be utilized locally in a function that calls asub-process that is updated in updatable applet 252. If the sub-processexecuted in updatable applet 252 updates the data variables, theseupdated values may be returned to the function in static applet 253,which calls the sub-process. This allows execution of the function to becompleted with the new data value.

At step 503, function map 360 is updated to reflect the memory locationof updated code during step 500. The function map 360 may be utilized byupdatable applet 252 to determine whether to send received commandseither to static applet 253 or to updated code within updatable applet252. For example, a function stored at address 0x400 of static applet253, may be updated. Since static applet 253 may not be modified, theupdated version of the function may be added to updatable applet 252 at,for example, address 0xB00. Subsequently, function map 360 may beupdated to point to address 0xB00 of updatable applet 252 instead ofaddress 0x400 of static applet 253. Hence, when the function isexecuted, the function map may indicate to execute the newest version ofcode located in updatable applet 252 instead of static applet 253. Anexample of an update to a function in static applet 253 is shown inFIGS. 6 and 7.

At step 504, the updated contents of the updatable applet 252 are loadedonto secure element 250 of mobile device 200.

At step 505, the static applet 253 may verify the source and/orauthenticity of the updatable applet 252, for example, by utilizingpublic/private key encryption. This additional security ensures that theupdatable applet 252 is sourced from an authentic server computer (e.g.,account management logic 230) and if so, the updatable applet 252 isallowed to utilize the shared interface 310 of static applet 253.

In some embodiments of the invention, the static applet 253 may containcryptographic elements such as a public key that may be utilized toverify the source and/or authenticity of the updatable applet 252. Theserver computer may utilize corresponding cryptographic elements such asa private key to create a certificate or signature based on certaininformation on the updatable applet 252. When the updatable applet 252is instantiated, the updatable applet 252 may contain a verificationvalue from the certificate. During installation of the updatable applet252, the updatable applet 252 may pass the certificate to the staticapplet 253. The static applet 253 may then utilize the public keypersonalized to it to check it against the certificate sent from theupdatable applet 252. If the verification value in the certificate canbe verified, the static applet 253 may allow the updatable applet 252access to shared interface 310 of static applet 253. The updatableapplet 252 may then be able to call any of the functions or methods inthe shared interface 310 of the static applet 253.

In some embodiments, the static applet 253 may keep track of anidentifier of updatable applet 252. For example, after the updatableapplet 252 is allowed access to shared interface 310 of static applet253, the static applet 253 may store the application identifier (AID) ofupdatable applet 252. This application identifier may be utilized bystatic applet 253 when requesting access to a shared interface ofupdatable applet 252. If the shared interface of updatable applet 252indicates that static applet 253 or a module of static applet 253 mayaccess information in the shared interface, firewall 370 may allowcommunication between static applet 253 to updatable applet 252.Subsequently, static applet 253 may access functions and data residingin the shared interface of updatable applet 252.

At step 506, function map 360 in updatable applet 252 may besynchronized with function map 330 in static applet 253. This ensuresthat any updates made in function map 360 of updatable applet 252 arereflected in function map 330 of static applet 253 and allows staticapplet 253 to know execute updated code when appropriate. In someembodiments, step 506 may be carried out during installation ofupdatable applet 252 in step 505. The “updated function map” referred toin subsequent steps may refer to either function map 330 or function map360, which may both comprise the most updated mapping of functions tocorresponding memory locations.

At step 507, the updatable applet 252 and static applet 253 may beexecuted to perform a process based on the updated function map throughan access control software element. The access control software element(e.g., a firewall) may ensure that modules that access data or code fromthe updatable applet 252 and the static applet 253 are specified inshared interfaces in the respective applets. The updated function mapindicates memory locations of updated code and may route functionsappropriately in order to perform a series of operations.

The updatable applet 252 and static applet 253 may access the updatedfunction map every time a function is executed. The function map mayindicate whether execution should be passed from the updatable applet252 to the static applet 253 or from the static applet 253 to theupdatable applet 252.

If the static applet 253 determines from the updated function map thatthe function to be executed next is located in updatable applet 252, thestatic applet 253 may return execution to the updatable applet 252. Insome embodiments, a return value may be sent to the updatable applet 252to indicate which function of the static applet 253 the execution wasreturned from or to include any other useful information.

For example, if three of four functions to be executed are located instatic applet 253 and the fourth function is located in updatable applet252, a return value may be sent from static applet 253 to updatableapplet 252 for verification. The return value may indicate to theupdatable applet 252 that the first three functions were performed bystatic applet 253. This may allow updatable applet 252 to check thatexecuted functions completed before it starts to execute the fourthupdated function to complete processing. In some embodiments, thisreturn value that may be sent when passing execution from the staticapplet 253 to the updatable applet 252 may be utilized to synchronizedata from the static applet 253. For example, the return value maycomprise the state of local variables or any parameter from the staticapplet 253 that may be utilized during execution of updated code theupdatable applet 252.

At step 508, the updatable applet 252 may access information from thestatic applet 253 during execution of updatable applet 252 and staticapplet 253. Step 508 may be carried out during or in parallel with step507. The information accessed is defined in shared interface 310 of thestatic applet 253. In some embodiments, data variables accessed fromstatic applet 253 may be modified by updatable applet 252 when afunction is executed. In this case, these modified values may be updatedback to static applet 253 at the end of the function. This ensures thatdata between updatable applet 252 and static applet 253 are kept insync. In some embodiments, updated contents may be represented as abinary file equal to the size of the updatable applet.

FIG. 6 shows an example of a function call flow diagram 600 and acorresponding function map 650 for one embodiment of the invention. Asshown, the function call flow diagram 600 comprises function A 610,function B 620, and function C 630. Function A 610 is stored inupdatable applet 252, whereas functions B 620 and C 630 are stored instatic applet 253. In addition, a function map 650 corresponding to thefunctions A-C 610-630 is shown. Updatable applet 252 and static applet253 may each store a copy of function map 650.

In the shown sequence of function calls, function A 610 calls function B620. In order to determine the location of the executable codecorresponding to function B 620, function map 650 is utilized todetermine that function B 620 is stored at address 0x200 of staticapplet 253. Function B 620 then calls function C 630. In order todetermine the location of the executable code corresponding to functionC 630, function map 650 is used to determine that function C 630 isstored at address 0x400 of static applet 253. Once function C 630completes, execution returns to function B 620. Once function B 620completes, execution returns to function A 610.

FIG. 7 shows an example of an updated function call flow diagram 700 anda corresponding updated function map 750 for one embodiment of theinvention. Updatable applet 252 and static applet 253 may each store acopy of updated function map 750.

As shown in FIG. 7, function A 710 is stored in the same location (i.e.,address 0x900 of updatable applet 252) as function A 610 in FIG. 6.Similarly, function B 720 is stored in the same location (i.e., address0x200 of static applet 253) as function B 620 in FIG. 6. However, theaddress pointed to in function map 750 for function C is a differentlocation (i.e., address 0xB00 of updatable applet 252) than that infunction map 650 for function C (i.e., address 0x400 of static applet253) in FIG. 6. The updated location of function C 730 may be due to anyof a variety of reasons. For example, a bug or other issues may havebeen found in function C 630 that was fixed in updated function C 730 oradditional functionality not present in function C 630 may have beenincorporated into function C 730.

In some embodiments, function C 630 may remain in static applet 253,since the contents of the static applet 253 may not be modifiable.However, since function map 750 no longer refers to this obsoleteversion (i.e., function C 630) of function C, function calls to functionC will no longer execute code at address 0x400 of static applet 253. Toreflect this, function C 630 is displayed shaded and in grey and theaddress indicating function C in function map 750 is updated to address0xB00 of updatable applet 252.

The sequence of function calls shown in FIG. 7 is similar to that shownin FIG. 6; function A 710 calls function B 720, and function B 720 thencalls function C 730. However, function map 750 is used to determinethat function C 730 is now stored at updatable applet address 0xB00.Accordingly, updated function C 730 is executed. Once function C 730completes, execution returns to function B 720. Once function B 720completes, execution returns to function A 710.

Updating the function map 750 in the manner shown allows embodiments ofthe invention to re-implement methods stored in static applet 253. Insome embodiments, a data map corresponding to data values may similarlybe used to re-assign data values stored in static applet 253.

IV. Exemplary Computer Apparatus

FIG. 8 is a high level block diagram of a computer system that may beused to implement any of the entities or components described above. Thesubsystems shown in FIG. 8 are interconnected via a system bus 875.Additional subsystems include a printer 803, keyboard 806, fixed disk807, and monitor 809, which is coupled to display adapter 804.Peripherals and input/output (I/O) devices, which couple to I/Ocontroller 800, can be connected to the computer system by any number ofmeans known in the art, such as a serial port. For example, serial port805 or external interface 808 can be used to connect the computerapparatus to a wide area network such as the Internet, a mouse inputdevice, or a scanner. The interconnection via system bus 875 allows thecentral processor 802 to communicate with each subsystem and to controlthe execution of instructions from system memory 801 or the fixed disk807, as well as the exchange of information between subsystems. Thesystem memory 801 and/or the fixed disk may embody a computer-readablemedium.

Storage media and computer-readable media for containing code, orportions of code, can include any appropriate media known or used in theart, including storage media and communication media, such as but notlimited to volatile and non-volatile, removable and non-removable mediaimplemented in any method or technology for storage and/or transmissionof information such as computer-readable instructions, data structures,program modules, or other data, including RAM, ROM, EEPROM, flash memoryor other memory technology, CD-ROM, digital versatile disk (DVD) orother optical storage, magnetic cassettes, magnetic tape, magnetic diskstorage or other magnetic storage devices, data signals, datatransmissions, or any other medium which can be used to store ortransmit the desired information and which can be accessed by thecomputer. Based on the disclosure and teachings provided herein, aperson of ordinary skill in the art will appreciate other ways and/ormethods to implement the various embodiments.

The above description is illustrative and is not restrictive. Manyvariations of the invention may become apparent to those skilled in theart upon review of the disclosure. The scope of the invention may,therefore, be determined not with reference to the above description,but instead may be determined with reference to the pending claims alongwith their full scope or equivalents.

It may be understood that the present invention as described above canbe implemented in the form of control logic using computer software in amodular or integrated manner. Based on the disclosure and teachingsprovided herein, a person of ordinary skill in the art may know andappreciate other ways and/or methods to implement the present inventionusing hardware and a combination of hardware and software.

Any of the software components or functions described in thisapplication, may be implemented as software code to be executed by aprocessor using any suitable computer language such as, for example,Java, C++ or Perl using, for example, conventional or object-orientedtechniques. The software code may be stored as a series of instructions,or commands on a computer readable medium, such as a random accessmemory (RAM), a read only memory (ROM), a magnetic medium such as ahard-drive or a floppy disk, or an optical medium such as a CD-ROM. Anysuch computer readable medium may reside on or within a singlecomputational apparatus, and may be present on or within differentcomputational apparatuses within a system or network.

One or more features from any embodiment may be combined with one ormore features of any other embodiment without departing from the scopeof the invention.

A recitation of “a”, “an” or “the” is intended to mean “one or more”unless specifically indicated to the contrary.

What is claimed is:
 1. A method for updating an application having afirst applet comprising a first plurality of software functions and asecond applet comprising a second plurality of software functions storedon a computing device, the method comprising: determining, by a server,that the application on the computing device is to be updated;generating, by the server, a verification value using a private key of akey pair associated with the server; sending, by the server, theverification value and updated code for a first function in the firstplurality of software functions to the computing device, wherein theverification value is verified by the first applet using a public key ofthe key pair, wherein in response to the first applet verifying theverification value, the computing device is updated by storing theupdated code for the first function in the second applet instead of thefirst applet, and updating a first function map of the first applet anda second function map of the second applet to indicate that an updatedaddress of the first function corresponds to a location in the secondapplet, and wherein the application is executed to perform a processusing the updated first function map of the first applet and the updatedsecond function map of the second applet.
 2. The method of claim 1wherein at least one of the first or second applets is stored in atrusted execution environment.
 3. The method of claim 2, wherein thetrusted execution environment is a secure element.
 4. The method ofclaim 1, wherein the first applet communicates with the second appletvia an access control element.
 5. The method of claim 4, wherein theaccess control element is a firewall.
 6. The method of claim 1, whereinthe process being performed includes conducting a transaction using thecomputing device.
 7. The method of claim 6, wherein the process beingperformed includes generating a cryptogram for the transaction.
 8. Themethod of claim 1, wherein the second applet communicates with the firstapplet by accessing a plurality of shared interfaces in the firstapplet, wherein each shared interface comprises one or more functions inthe first plurality of software functions.
 9. The method of claim 1,wherein the first applet communicates with the second applet byaccessing a plurality of shared interfaces in the second applet, whereineach shared interface comprises one or more functions in the secondplurality of software functions.
 10. The method of claim 1, wherein thefirst applet contains personalization data and the second appletcontains no personalization data.
 11. The method of claim 1, wherein theverification value is a signature generated based on informationassociated with the second applet.
 12. A device comprising: a processor;and a non-transitory computer readable medium comprising code, whichwhen executed by the processor, implements operations for updating anapplication having a first applet comprising a first plurality ofsoftware functions and a second applet comprising a second plurality ofsoftware functions stored on a computing device, the operationsincluding: determining that the application on the computing device isto be updated; generating a verification value using a private key of akey pair; and sending the verification value and updated code for afirst function in the first plurality of software functions to thecomputing device, wherein the verification value is verified by thefirst applet using a public key of the key pair, wherein in response tothe first applet verifying the verification value, the computing deviceis updated by storing the updated code for the first function in thesecond applet instead of the first applet, and updating a first functionmap of the first applet and a second function map of the second appletto indicate that an updated address of the first function corresponds toa location in the second applet, and wherein the application is executedto perform a process using the updated first function map of the firstapplet and the updated second function map of the second applet.
 13. Thedevice of claim 12, wherein at least one of the first or second appletsis stored in a trusted execution environment.
 14. The device of claim13, wherein the trusted execution environment is a secure element. 15.The device of claim 12, wherein the first applet communicates with thesecond applet via an access control element.
 16. The device of claim 12,wherein the process being performed includes conducting a transactionusing the computing device.
 17. The device of claim 12, wherein thesecond applet communicates with the first applet by accessing aplurality of shared interfaces in the first applet, wherein each sharedinterface comprises one or more functions in the first plurality ofsoftware functions.
 18. The device of claim 12, wherein the first appletcommunicates with the second applet by accessing a plurality of sharedinterfaces in the second applet, wherein each shared interface comprisesone or more functions in the second plurality of software functions. 19.The device of claim 12, wherein the first applet containspersonalization data and the second applet contains no personalizationdata.
 20. The device of claim 12, wherein the first applet implements aset of one or more private functions that the second applet is notallowed to access.